linux-crypto.vger.kernel.org archive mirror
* Hardware ANSI X9.31 PRNG, handling multiple context?
       [not found] <2345369f0bf4169a1ec792545df7d409dd7fecd1.camel.ref@cs.com>
@ 2019-12-31  2:43 ` Richard van Schagen
  2020-01-09  5:13   ` Herbert Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Richard van Schagen @ 2019-12-31  2:43 UTC (permalink / raw)
  To: linux-crypto

As part of my EIP93 crypto module I would like to implement the PRNG.
This is intended to be used to automatically insert an IV for IPSEC /
full ESP processing, but can be used "just as PRNG" and it's fully ANSI
X9.31 compliant.

Looking over the code in "ansi_cprng.c" I can implement the non-"FIPS"
part since it doesn't require a reseed every time. For full FIPS it needs
to be seeded by the user, which means if I do this in hardware I can not
"switch" seeds or reseed with another one from another context because
that would not give the expected results.

Is it acceptable to only implement "non-FIPS" and/or return an error
(-EBUSY ?) when more than 1 call occurs to "cra_init" before the
previous user called "cra_exit"?

Richard



* Re: Hardware ANSI X9.31 PRNG, handling multiple context?
  2019-12-31  2:43 ` Hardware ANSI X9.31 PRNG, handling multiple context? Richard van Schagen
@ 2020-01-09  5:13   ` Herbert Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2020-01-09  5:13 UTC (permalink / raw)
  To: Richard van Schagen; +Cc: linux-crypto

Richard van Schagen <vschagen@cs.com> wrote:
> As part of my EIP93 crypto module I would like to implement the PRNG.
> This is intended to be used to automatically insert an IV for IPSEC /
> full ESP processing, but can be used "just as PRNG" and it's fully ANSI
> X9.31 compliant.
> 
> Looking over the code in "ansi_cprng.c" I can implement the non-"FIPS"
> part since it doesn't require a reseed every time. For full FIPS it needs
> to be seeded by the user, which means if I do this in hardware I can not
> "switch" seeds or reseed with another one from another context because
> that would not give the expected results.
> 
> Is it acceptable to only implement "non-FIPS" and/or return an error
> (-EBUSY ?) when more than 1 call occurs to "cra_init" before the
> previous user called "cra_exit"?

Yes, you could certainly add such a PRNG.  However, please don't make
cra_init return an error.  Instead you should make all tfms of your
PRNG use the same underlying hardware PRNG.  IOW it's as if users
of those tfms are actually using just one tfm.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
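Herbert's suggestion of one shared hardware PRNG behind every tfm, as an added user-space model that is not code from this thread or from the EIP93 driver; the names hw_prng, prng_tfm_init, prng_tfm_exit, prng_seed and prng_generate are assumptions standing in for the kernel's cra_init/cra_exit and the hardware engine, and the LCG state is a constructed stand-in for the real X9.31 output:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* One hardware PRNG context per device; hypothetical names, not the kernel
 * crypto API. A real driver also needs a lock around every engine access. */
struct hw_prng {
    int refcnt;     /* live tfms sharing the engine */
    uint64_t state; /* constructed stand-in for the hardware seed state */
};
static struct hw_prng engine;
struct prng_tfm { struct hw_prng *hw; };

/* "cra_init" analogue: a second user is never refused with -EBUSY,
 * it just takes a reference on the one shared engine. */
static int prng_tfm_init(struct prng_tfm *tfm)
{
    tfm->hw = &engine;
    engine.refcnt++;
    return 0;
}

/* "cra_exit" analogue: drop the reference; hardware state persists. */
static void prng_tfm_exit(struct prng_tfm *tfm)
{
    if (tfm->hw)
        tfm->hw->refcnt--;
    tfm->hw = NULL;
}

/* Seeding targets the shared engine, so a reseed from any tfm is global. */
static int prng_seed(struct prng_tfm *tfm, const uint8_t *seed, size_t len)
{
    if (!tfm->hw || len < sizeof(uint64_t))
        return -EINVAL;
    memcpy(&tfm->hw->state, seed, sizeof(uint64_t));
    return 0;
}

/* Every tfm draws from one output stream, as if all users held one tfm.
 * The LCG step is a constructed placeholder for hardware output, not X9.31. */
static int prng_generate(struct prng_tfm *tfm, uint8_t *out, size_t len)
{
    if (!tfm->hw)
        return -EINVAL;
    for (size_t i = 0; i < len; i++) {
        tfm->hw->state = tfm->hw->state * 6364136223846793005ULL + 1442695040888963407ULL;
        out[i] = (uint8_t)(tfm->hw->state >> 56);
    }
    return 0;
}
```

Two tfms initialised back to back both succeed, and bytes drawn alternately through them form the same sequence a single tfm would produce from the same seed.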

